Group Management Comparison

Posted on by Carol

Following on from my last post about the overlaps between FIM and Exchange 2010 I wanted to clarify for myself the group management capabilities in FIM, Exchange 2010 and ILM.

Warning: I will have to revisit this post – as I haven’t yet installed Exchange 2010 in a production environment the Exchange comments are based on reading rather than hands-on experience, and in particular I’m unsure about the management of email-enabled Security groups.

Exchange Distribution Groups
  FIM 2010 Exchange 2010 ILM 2007
or FIM Sync
Rules based
eg., “All Finance Dept”		 Managed and populated in FIM Portal.

  • All users must also be represented in FIM Portal.
 Dynamic Distribution Lists External genarator needed
Eg., Group Populator
Manually populated Managed and populated in FIM Portal.

  • Owner approval workflow,
  • Join and approve in Outlook,
  • Create, join and approve in FIM Portal.
 Managed and populated directly in AD

  • Owner approval workflow,
  • Request and approve in Outlook,
  • Create in ECP.
 No native functionality to permit manual group popluation.
Synchronizes membership lists from one system to another (eg., from a database table to AD).
Other Management
  • Manage other attributes, eg., who can send to the list,
  • Auto-generate new groups, eg., for a new Department or Location (with Workflow development).
 Exchange management tools. Synchronize any attribute, though it must be generated somewhere outside ILM.
Access Control Permissions to create, delete, modify granted in FIM Portal only. Permissions to create, delete, modify granted in AD – though RBAC simplifies. N/A

 
 

Security Groups
  FIM 2010 Exchange 2010 ILM 2007
or FIM Sync
Rules based
eg., “All Finance Dept”		 Populated and managed in FIM Portal.

  • All users must also be represented in FIM Portal.
 N/A External genarator needed
Eg., Group Populator
Manually populated Managed and populated in FIM Portal.

  • Owner approval workflow,
  • Join and approve in Outlook only if the group has an email address,
  • Create, join and approve in FIM Portal.
 Membership management for Security groups with email address?

N/A for non-email emabled Security groups.

 No native functionality to permit manual group popluation.
Synchronizes membership lists from one system to another (eg., from a database table to AD).
Other Management
  • Replicate the groups to other systems – not just AD,
  • Auto-generate new groups, eg., for a new Department or Location (with Workflow development).
 Mail-enable existing AD Security groups using Exchange management tools. Replicate the groups to other systems – not just AD.
Access Control Permissions to create, delete, modify granted in FIM Portal only. N/A N/A

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.